In a judgement delivered today (6 October 2015) the European Court of Justice has held that the Commission's decision that the US safe harbor provides an adequate level of protection is invalid.

This will now present a major challenge to a number of large US multinational businesses which regularly store personal data in the US.

As the safe harbor process is no longer considered sufficient in itself, companies will now have to individually assess whether or not the transfer of personal data to the US is permitted in individual circumstances. Given that the US Federal Trade Commission has investigated the validity of safe harbor registrations and has found many to be lacking, and given the revelations of data hacking and snooping by US government organisations disclosed by Edward Snowden, it is unlikely that US companies can demonstrate an adequate level of protection.

The Court has ruled that, in effect, national data protection agencies cannot wash their hands over the export of personal data to the US, citing the existence of safe harbors as their justification for doing so.

Of significance is the following statement:

"Without needing to establish whether that scheme ensures a level of protection essentially equivalent to that guaranteed within the EU, the Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference..".

This ruling will cause considerable problems for many companies who will have to immediately cease transferring personal data to the US from the EU.

In the US, Microsoft is currently appealing a court decision which required it to disclose personal data held in its Irish data centre pursuant to a valid search warrant obtained by US authorities. Today's Court of Justice ruling does not address this issue, but it is clearly related.

Does this mean that all of Microsoft's Office 365 infrastructure, provisioned via the cloud, is now illegal? What about Amazon, Facebook, Twitter, Tumblr ...?

Regulation of drones - EU Working Party Opinion

Drones can undoubtedly provide significant advantages and benefits by enabling a cost-effective and quick way to survey land and events from the air. Technological advances are encouraging their adoption and also the immediate use of any information provided by them.

The rapid deployment of a drone at an accident scene, for example, could allow for close-up real-time streaming of video to news broadcasters. That drone could also prevent the deployment of an air ambulance, perhaps leading to the death of a person because rapid medical care was prevented. As drones move away from being flimsy plastic toys to solid constructions with significant metal parts, the risk of damage to rotors and engines increases, presenting real risks to planes and helicopters.

In May 2011 we prepared a guidance note on the amendments to The Privacy and Electronic Communications (EC Directive) Regulations 2003 (link). Back then businesses were given a 12 month moratorium on compliance and enforcement by the Information Commissioner. That moratorium ends on 25 May 2012.

Since then not a lot seems to have changed. Most websites appear to have done little to deal with the new rules (i.e. the "opt in" requirement) - the BBC website being a notable and elegant exception.

This makes enforcement by the ICO problematic, except for the worst offenders. However, widespread changes will not occur until the ICO starts handing out fines.

What does this mean for your business? In short, if you haven't already, you need to start work immediately on identifying what cookies are used and the data they track; then you need to decide whether or not the use of those cookies is justified; and, finally, you may need to get explicit consent for the remaining cookies you decide to use.

For an explanation of the changes to the law itself please see our May 2011 guidance note (link).